NOTE: Hosted products VMware Workstation 5.x, VMware Player 1.x, and VMware ACE 1.x will reach end of general support 2008-11-09. Customers should plan to upgrade to the latest version of their respective products.

Extended support (Security and Bug fixes) for ESX 3.0.2 ends on 10/29/2008 and Extended support for ESX 3.0.2 Update 1 ends on 8/8/2009. Users should plan to upgrade to ESX 3.0.3 and preferably to the newest release available.

Extended Support (Security and Bug fixes) for ESX 3.0.1 has ended on 2008-07-31. The 3.0.1 patches are released in August because there was no patch release in July.

3. Problem Description

I Security Issues

a. Setting ActiveX killbit

Starting from this release, VMware has set the killbit on its ActiveX controls. Setting the killbit ensures that ActiveX controls cannot run in Internet Explorer (IE), and avoids Microsoft KB article 240797 and the related references on this topic.

Security vulnerabilities have been reported for ActiveX controls provided by VMware when run in IE. Under specific circumstances, exploitation of these ActiveX controls might result in denial-of-service or can allow running of arbitrary code when the user browses a malicious Web site or opens a malicious file in IE browser. An attempt to run unsafe ActiveX controls in IE might result in pop-up windows warning the user.

Note: IE can be configured to run unsafe ActiveX controls without prompting. VMware recommends that you retain the default settings in IE, which prompts when unsafe actions are requested.

Earlier, VMware had issued knowledge base articles, KB 5965318 and KB 9078920 on security issues with ActiveX controls. To avoid malicious scripts that exploit ActiveX controls, do not enable unsafe ActiveX objects in your browser settings. As a best practice, do not browse untrusted Web sites as an administrator and do not click OK or Yes if prompted by IE to allow certain actions.

VMware would like to thank Julien Bachmann, Shennan Wang, Shinnai, and Michal Bucko for reporting these issues to us.

The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the names CVE-2008-3691, CVE-2008-3692, CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, CVE-2007-5438, and CVE-2008-3696 to the security issues with VMware ActiveX controls.

VMware Product  Product Version  Running on  Replace with/ Apply Patch
==============  ===============  ==========  ===========================
VirtualCenter   any              Windows     not affected
Workstation     6.x              Windows     6.0.5 build 109488 or later
Workstation     6.x              Linux       not affected
Workstation     5.x              Windows     5.5.8 build 108000 or later
Workstation     5.x              Linux       not affected
Player          2.x              Windows     2.0.5 build 109488 or later
Player          2.x              Linux       not affected
Player          1.x              Windows     1.0.8 build or later
Player          1.x              Linux       not affected
ACE             2.x              Windows     2.0.5 build 109488 or later
ACE             1.x              Windows     1.0.7 build 108880 or later
Server          1.x              Windows     1.0.7 build 108231 or later
Server          1.x              Linux       not affected
Fusion          1.x              Mac OS/X    not affected
Fusion          2.x              Mac OS/X    not affected
ESXi            3.5              ESXi        not affected
ESX             any              ESX         not affected

b. VMware ISAPI Extension Denial of Service

The Internet Server Application Programming Interface (ISAPI) is an API that extends the functionality of Internet Information Server (IIS). VMware uses ISAPI extensions in its Server product.

One of the ISAPI extensions provided by VMware is vulnerable to a remote denial of service. By sending a malformed request, IIS might shut down. IIS 6.0 restarts automatically. However, IIS 5.0 does not restart automatically when its Startup Type is set to Manual.

VMware would like to thank the Juniper Networks J-Security Security Research Team for reporting this issue to us.

The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-3697 to this issue.

VMware Product  Product Version  Running on  Replace with/ Apply Patch
==============  ===============  ==========  ===========================
VirtualCenter   any              Windows     not affected
Workstation     6.x              Windows     not affected
Workstation     6.x              Linux       not affected
Workstation     5.x              Windows     not affected
Workstation     5.x              Linux       not affected
Player          2.x              Windows     not affected
Player          2.x              Linux       not affected
Player          1.x              Windows     not affected
Player          1.x              Linux       not affected
ACE             2.x              Windows     not affected
ACE             1.x              Windows     not affected
Server          1.x              Windows     1.0.7 build 108231 or later
Server          1.x              Linux       not affected
Fusion          1.x              Mac OS/X    not affected
Fusion          2.x              Mac OS/X    not affected
ESXi            3.5              ESXi        not affected
ESX             any              ESX         not affected

c. OpenProcess Local Privilege Escalation on Host System

This release fixes a privilege escalation vulnerability in host systems. Exploitation of this vulnerability allows users to run arbitrary code on the host system with elevated privileges.

VMware would like to thank Sun Bing from McAfee, Inc. for reporting this issue to us.

The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-3698 to this issue.

VMware Product  Product Version  Running on  Replace with/ Apply Patch
==============  ===============  ==========  ===========================
VirtualCenter   any              Windows     not affected
Workstation     6.x              Windows     not affected
Workstation     6.x              Linux       not affected
Workstation     5.x              Windows     5.5.8 build 108000 or later
Workstation     5.x              Linux       not affected
Player          2.x              Windows     not affected
Player          2.x              Linux       not affected
Player          1.x              Windows     1.0.8 build 108880 or later
Player          1.x              Linux       not affected
ACE             2.x              Windows     not affected
ACE             1.x              Windows     1.0.7 build 108880 or later
Server          1.x              Windows     1.0.7 build 108231 or later
Server          1.x              Linux       not affected
Fusion          1.x              Mac OS/X    not affected
Fusion          2.x              Mac OS/X    not affected
ESXi            3.5              ESXi        not affected
ESX             any              ESX         not affected

d. Update to Freetype

FreeType 2.3.6 resolves an integer overflow vulnerability and other vulnerabilities that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted file. This release updates FreeType to 2.3.7.

The Common Vulnerabilities and Exposures Project (cve.mitre.com) has assigned the names CVE-2008-1806, CVE-2008-1807, and CVE-2008-1808 to the issues resolved in Freetype 2.3.6.

VMware Product  Product Version  Running on  Replace with/ Apply Patch
==============  ===============  ==========  ===================================
VirtualCenter   any              Windows     not affected
Workstation     6.x              Windows     not affected
Workstation     6.x              Linux       6.0.5 build 109488 or later
Workstation     5.x              Windows     not affected
Workstation     5.x              Linux       5.5.8 build 108000 or later
Player          2.x              Windows     not affected
Player          2.x              Linux       2.0.5 build 109488 or later
Player          1.x              Windows     not affected
Player          1.x              Linux       1.0.8 build 108000 or later
ACE             2.x              Windows     not affected
ACE             1.x              Windows     not affected
Server          1.x              Windows     not affected
Server          1.x              Linux       1.0.7 build 108231 or later
Fusion          1.x              Mac OS/X    upgrade to Fusion 2.0
Fusion          2.x              Mac OS/X    not affected
ESXi            3.5              ESXi        not affected
ESX             3.5              ESX         not affected
ESX             3.0.3            ESX         not affected
ESX             3.0.2            ESX         not affected
ESX             3.0.1            ESX         not affected
ESX             2.5.5            ESX         ESX 2.5.5 upgrade patch 10 or later
ESX             2.5.4            ESX         ESX 2.5.4 upgrade patch 20

e. Update to Cairo

Cairo 1.4.12 resolves an integer overflow vulnerability that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted PNG file. This release updates Cairo to 1.4.14.

The Common Vulnerabilities and Exposures (cve.mitre.com) has assigned the name CVE-2007-5503 to this issue.

VMware Consolidated Backup command-line utilities accept the user password through the -p command-line option. Users logged into the ESX service console or into the system that runs VCB could gain access to the username and password used by VCB command-line utilities when such commands are running.

The ESX patch and the new version of VCB resolve this issue by providing an alternative way of passing the password used by VCB command-line utilities.

VCB in ESX
----------

The following options are recommended for passing the password:

1. The password is specified in /etc/backuptools.conf (PASSWORD=xxxxx), and -p is not used in the command line. /etc/backuptools.conf file permissions are read/write only for root.
2. No password is specified in /etc/backuptools.conf and the -p option is not used in the command line. The user will be prompted to enter a password.

ESX is not affected unless you use VCB.

Stand-alone VCB
---------------

The following options are recommended for passing the password:

1. The password is specified in config.js (PASSWORD=xxxxx), and -p is not used in the command line. The file permissions on config.js are read/write only for the administrator. The config.js file is located in folder "config" of the VCB installation folder. For example, C:\Program Files\Vmware\Vmware Consolidated Backup Framework\config.
2. The password is specified in the registry, and is not specified in config.js, and -p is not used in the command line. Access to the registry key holding the password is allowed only to the administrator. The location of the registry key is:
   On Windows x86: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Consolidated Backup\Password
   On Windows x64: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Consolidated Backup\Password
3. The password is not specified in the registry, and is not specified in config.js, and -p is not used in the command line. The user will be prompted to enter a password.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-2101 to this issue.
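The two conditions recommended above for VCB in ESX can be audited from the service console. The script below is an added example, not VMware code: it checks that the configuration file is owned by root with owner-only access, and reports any VCB command still started with -p. The function names, the assumption that VCB utilities are named vcb*, and the sample process listing are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not VMware code. Function names and sample data are constructed.

# conf_is_private FILE [UID]: succeeds when FILE is a regular file owned by
# UID (default 0, root) and readable/writable by its owner only.
conf_is_private() {
    want_uid=${2:-0}
    [ -f "$1" ] || return 2
    info=$(ls -ldn -- "$1") || return 2
    mode=${info%% *}
    uid=$(printf '%s\n' "$info" | awk '{ print $3 }')
    case $mode in
        -r[w-]-------*) ;;      # rw------- or r--------, nothing for group/other
        *) return 1 ;;
    esac
    [ "$uid" = "$want_uid" ]
}

# flag_password_args: reads "PID COMMAND ARGS..." lines (ps -eo pid,args
# format) on stdin and prints the PID of each VCB utility started with -p.
# Only the PID is printed, so the password is not copied into the report.
flag_password_args() {
    awk '{
        n = split($2, parts, "/"); cmd = parts[n]
        if (cmd !~ /^vcb/) next     # assumption: VCB utilities are named vcb*
        for (i = 3; i <= NF; i++)
            if ($i == "-p") { print $1; next }
    }'
}

# Constructed process listing: one VCB command exposing -p, one relying on
# the config file, and one unrelated command that also has a -p option.
SAMPLE_PS='  812 /usr/sbin/vcbMounter -h vc.example.test -u backup -p S3cret -a name:web01 -r /mnt/b
  901 /usr/sbin/vcbMounter -h vc.example.test -u backup -a name:db01 -r /mnt/b
  955 /bin/ping -p ff 192.0.2.10'

printf '%s\n' "$SAMPLE_PS" | flag_password_args    # prints 812

CONF=${CONF:-/etc/backuptools.conf}
conf_is_private "$CONF" || echo "review $CONF: missing, or not owned by root with owner-only access" >&2
```

On a live system, feed the function real data with `ps -eo pid,args | flag_password_args`.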

Several flaws were discovered in the way third party library libpng handled various PNG image chunks. An attacker could create a carefully crafted PNG image file in such a way that it causes an application linked with libpng to crash when the file is manipulated.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5269 to this issue.

NOTE: There are multiple patches required to remediate the issue.

VMware Product  Product Version  Running on  Replace with/ Apply Patch
==============  ===============  ==========  ===================================
VirtualCenter   any              Windows     not affected
hosted *        any              any         not affected
ESXi            3.5              ESXi        ESXe350-200808501-I-SG
ESX             3.5              ESX         ESX350-200808401-BG
ESX             3.0.3            ESX         ESX303-200808403-SG
ESX             3.0.2            ESX         ESX-1005109 ESX-1005114 ESX-1005113
ESX             3.0.1            ESX         ESX-1005112 ESX-1005108 ESX-1005111
ESX             2.5.5            ESX         ESX 2.5.5 upgrade patch 10 or later
ESX             2.5.4            ESX         ESX 2.5.4 upgrade patch 21

* hosted products are VMware Workstation, Player, ACE, Server, Fusion

II ESX Service Console rpm updates

a. update to bind

This update upgrades the service console rpms for bind-utils and bind-lib to version 9.2.4-22.el3.

Version 9.2.4-22.el3 addresses the recently discovered vulnerability in the BIND software used for Domain Name resolution (DNS). VMware doesn't install all the BIND packages on ESX Server and is not vulnerable by default to the reported vulnerability. Of the BIND packages, VMware only ships bind-util and bind-lib in the service console and these components by themselves cannot be used to set up a DNS server. Bind-lib and bind-util are used in client DNS applications like nsupdate, nslookup, etc.

VMware explicitly discourages installing applications like BIND on the service console. In case the customer has installed BIND, and the DNS server is configured to support recursive queries, their ESX Server system is affected and they should replace BIND with a patched version.

Note: ESX Server will use the DNS server on the network it is on, so it is important to patch that DNS server.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-1447 to this issue.